Even though Cerberus by Redwood focuses on secure file transfer, data security and compliance requirements extend far beyond our solutions. Since our application is frequently integrated with an organization’s file server, this two-part guide will examine how to keep your file server compliant with data privacy regulations.
What major regulations govern file server data security?
Global regulators have focused on data security requirements in recent years, passing dozens of laws that aim to improve data handling and access processes to prevent theft and improve privacy. We’ve listed some of the most prevalent, larger-scale data security regulations that affect file servers below.
European Union GDPR (General Data Protection Regulation)
The GDPR is a comprehensive data protection law that applies to organizations handling the personal data of EU residents, regardless of the location of the organization.
CCPA (California Consumer Privacy Act)
The CCPA grants California residents rights over their personal information, including the right to know what is collected, to request its deletion and to opt out of its sale, and it requires businesses to implement reasonable security procedures to protect that information. A data breach caused by a failure to maintain reasonable security can give consumers a private right of action under the act.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA sets the United States standard for protecting sensitive electronic patient health information (known as ePHI) in the healthcare industry. It applies to covered entities (health plans, healthcare clearinghouses and healthcare providers that transmit health information electronically) and extends to their business associates, the organizations that create, receive, store or transmit protected health information on a covered entity’s behalf.
FISMA (the Federal Information Security Modernization Act)
FISMA requires federal agencies, and the contractors and service providers that operate information systems on their behalf, to protect those systems in line with National Institute of Standards and Technology (NIST) standards and guidance, such as the FIPS 199/200 categorization and minimum security requirements, the NIST SP 800-53 control catalog and FIPS 140-2 validation for cryptographic modules. Any organization running systems for a US federal agency must comply with FISMA, and many states have enacted similar requirements for their own agencies.
GLBA (Gramm-Leach-Bliley Act)
GLBA requires US financial institutions to implement security measures to protect customer financial information and explain their information-sharing practices to their customers.
FERPA (Family Educational Rights and Privacy Act)
FERPA requires educational institutions to implement measures to protect student education records and data, and outlines parents’ rights regarding access to their children’s records.
COPPA (Children’s Online Privacy Protection Act)
COPPA requires operators of websites and online services that collect personal information from children under 13 years of age to obtain verifiable parental consent before collecting that data and to maintain the confidentiality, security and integrity of the data they collect.
SOX (Sarbanes-Oxley Act)
SOX requires publicly traded companies to implement internal controls and procedures for financial reporting, which includes safeguarding the financial data and systems that feed those reports.
What industry standards require file server data protection?
In addition to regulatory requirements, a number of industry bodies have provided their own data security guidance:
The International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC)
These joint standardization bodies provide process guidance and best practices for businesses operating in a number of industries, including information technology. They have adopted several standards that apply to data security.
ISO/IEC 27001 and 27002
The 27001 standard outlines the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity and availability. ISO/IEC 27002 complements 27001 by offering best practice recommendations for information security controls, helping organizations implement the necessary measures to protect their data.
ISO/IEC 27031
This standard provides guidelines for the preparation of information and communication technology for business continuity. It helps organizations ensure that they can continue to operate and protect their data in the event of a disruption.
ISO/IEC 27018
This standard provides guidelines for protecting personally identifiable information (PII) in public cloud environments, setting out the information security measures a cloud service provider should implement when it acts as a PII processor on behalf of its customers.
Payment Card Industry Data Security Standard (PCI DSS)
The major credit and debit card brands, through the PCI Security Standards Council, maintain a security standard to ensure that all companies that accept, process, store or transmit cardholder data maintain a secure environment. PCI DSS requires this environment to include secure network architecture, encryption of cardholder data, strict access control and regular network monitoring and testing. PCI DSS is not a law; it is a contractual requirement for any merchant or service provider that wishes to accept card payments, enforced globally by the card brands and the acquiring banks.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework provides a voluntary policy framework that organizations can use to assess and improve their ability to identify, protect against, detect, respond to and recover from cyberattacks. It consists of standards, guidelines and best practices for managing cybersecurity-related risk, organized around those core functions.
This is quite a list, but right now it’s very high-level. In part two, we will discuss the common compliance requirements and steps you’ll need to take to secure your file server based on these requirements.